Reliability Demonstration Approach for 
Advanced Stirling Radioisotope Generator 


Chuong Ha 1 

Lockheed Martin Space Systems, Sunnyvale, CA, 94089 
Edward Zampino 2 

NASA Glenn Research Center, Cleveland, OH, 44135 

Barry Penswick 3 
Sunpower, Athens, OH, 45701 

and 

Michael Spronz 4 
Sestlnc., Cleveland, OH, 44135 


Developed for future space missions as a high-efficiency power system, the Advanced 
Stirling Radioisotope Generator (ASRG) has a design life requirement of 14 yr in space 
following a potential storage of 3 yr after fueling. In general, the demonstration of long-life 
dynamic systems remains difficult in part due to the perception that the wearout of moving 
parts cannot be minimized, and associated failures are unpredictable. This paper shows a 
combination of systematic analytical methods, extensive experience gained from technology 
development, and well-planned tests can be used to ensure a high level reliability of ASRG. 
With this approach, all potential risks from each life phase of the system are evaluated and 
the mitigation adequately addressed. This paper also provides a summary of important test 
results obtained to date for ASRG and the planned effort for system-level extended 
operation. 
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I. Introduction 

T HE ASRG is being developed by the Department of Energy and NASA 1 as a highly efficient power system for 
potential use in future space exploration missions, including deep space missions and surface applications. With 
the engineering development phase complete in 2008, 2 * the qualification design effort is well underway for flight 
readiness. One of the key requirements of the ASRG is the capability to perform its functions for a 17-yr design life 
with a probability of success of at least 90%. The required design life consists of a 14 yr operation in space 
following a potential storage of 3 yr in controlled environments after fueling. While this design life is typical for 
deep space mission systems as well as for commercial satellites, reliability demonstration for onboard continuously 
running mechanisms remains a key challenge. For example, attitude control subsystems of spacecraft such as gyros 
and momentum wheels could reach between 3000 to 8000 rpm. In the case of the Advanced Stirling Convertor 
(ASC) units of the ASRG, the moving free-piston and displacer subsystem operates at about 102 Hz. Thus, for a 17- 
yr design life the total number of cycles is predicted to reach 55 billion (5.5 xlO 10 ). Clearly, a system testing at such 
long duration and high cycle levels is impractical. Instead, extensive knowledge accumulated throughout the 
development years has led to these key observations: 

ASRG reliability demonstration cannot be based exclusively on a single, classic life test but must rely on a 
combination of analytical models and alternative tests. 

Moving parts only represent one aspect of the complete ASRG functionality. Any potential life-limiting 
risks from moving parts as well as other subsystems must be thoroughly understood and adequately 
mitigated. 

Random and wearout failures are applicable to specific life phases of the design and must be tackled 
differently. 

Capability to simulate subsystem interface and performance in all expected operating conditions is essential 
to ensure mission success. 

Well-planned qualification and accelerated testing at component or subsystem levels can also provide 
valuable data for reliability modeling and demonstration. 

II. ASRG Design 

As shown in Fig. 1, the overall ASRG system consists of the Generator Housing Assembly (GHA) and the 
Advanced Controller Unit (ACU). The GHA encloses two ASCs that are mounted in opposite directions, the 
associated General Purpose Heat Source (GPHS) units, the heat support assemblies, and the thermal insulation 
material segments. For ground operation, the GHA is filled with inert gas to protect the GPHS graphite material 
from oxidation. During launch ascent, the barometric pressure decrease will trigger a diaphragm puncture inside the 
Pressure Relief Device (PRD), evacuating the inert gas. 

As a free-piston Stirling convertor, the ASC is designed to convert the GPHS heat into alternating current (ac) 
electrical power. Helium is used as the working gas, hermetically contained within the ASC pressure vessel. At a 
frequency of about 102 Hz, the displacer and piston assemblies reciprocate with helium pressure variations between 
the expansion and compression spaces. The ac electrical power is produced from the linear alternator that consists of 
laminations, alternator coil, and moving magnets. Inside the ASC, a high-porosity matrix made of corrosion- 
resistant material allows heat recovery of the working gas between expansion and compression cycles. The Cold 
Side Adapter Flange (CSAF) provides both structural connection of the ASC to the GHA and a heat rejection path to 
the outer shell and radiation fins. The electrical power generated by the ASC is sent to the controller via two 
hermetic feedthroughs. 

With the possibility to be mounted remotely inside the spacecraft or on the rover, the ACU provides the 
operational control of the ASCs and the system telemetry signals. The ACU is an active-power-factor design with a 
fixed-frequency operating point. The ACU synchronizes the ASCs to minimize the dynamic vibration and convert 
the ac to direct current (dc) power. In case of dc bus off-nominal conditions, the ACU regulates the excess power 
with the Shunt Dissipation Unit, mounted at the GHA end to take advantage of a better heat rejection capability. 
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b) Cut-away view of Generator Housing Assembly 
Figure 1. ASRG Subsystems and Components 


III. Tasks of the ASRG Reliability Demonstration Approach 

The ASRG reliability demonstration activities can be grouped into four major categories as depicted in Fig. 2. 
Those categories are 

a) Risk identification using expert solicitation and Failure Modes, Effects, and Criticality Analysis 
(FMECA) to provide an early identification of the potential failure modes 

b) Risk quantification using reliability modeling to quantify the risks at component and system levels 

c) Risk mitigation with applicable tests and analyses 

d) Final risk integration to provide an assessment of the system-level reliability 

In this context, risk is defined as being applicable to reliability since it relates directly to the severity and 
likelihood of failure modes. In general, the four task categories are performed in sequence but can be iterated as 
necessary. Details of each task category are provided in the following sections. 
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Figure 2. Tasks of the ASRG Reliability Demonstration 


A. Risk Identification 

At the beginning of the ASRG program, when design details were still evolving in many areas, the development 
team decided that a risk identification process must be implemented and maintained regularly. In steps with the 
design activity progress, this effort would identify any life-limiting risks and keep track of mitigation actions. The 
risk identification process has benefited significantly from inputs of experts at NASA Glenn Research Center, 
NASA Jet Propulsion Laboratory, Sunpower, and Lockheed Martin. Insights from the designers also formed a 
valuable understanding of the system characteristics. Using the FMECA technique, the potential failure modes of 
each component and associated impacts were systematically identified. The failure mode severity is ranked based on 
three simple qualitative levels: 1) no impacts on power performance; 2) reduced or degraded power performance; 
and 3) imminent or catastrophic loss of power performance. In terms of likelihood ranking, the five-level system 
from MIL-STD-1629A 3 was adopted to allow the necessary resolution. In this system, the highest value (5) 
represents a frequent occurrence while the lowest value (1) represents an unlikely one. The failure mode criticality is 
then calculated as Severity times Likelihood. As output, the FMECA provides a criticality matrix that involves all 
components in the system. Critical items considered as potential single point failures are clearly listed for 
monitoring and mitigating. 

B. Risk Quantification With Reliability Models 

Following the risk identification process with FMECA, we generated the reliability models for both components 
and the full system to quantify the risks. Usually, the component reliability models are not needed because the 
derivation of failure probability relies on analysis of existing test results and usage history. Most of the electronic 
parts have established standard methods and vendor database for their qualification analysis. However, when the 
design is new or only limited test data are available, some iteration is required. Several reliability component models 
must have initially utilized similar equipment data and then gradually switched to actual data as qualification or 
accelerated tests were completed. In other instances, the component reliability models were generated using Finite 
Element Analysis (FEA) for stress- strength interference prediction. Most of these FEA models applied to structural 
components. When the design data was available, the component reliability models took into account the relevant 
uncertainties from design and operating condition parameters. As data from the qualification and accelerated tests 
became available, the stress-strength interference predictions were updated accordingly. 

At the system level, we preferred the Fault Tree Analysis (FT A) model to integrate the results obtained from the 
component analysis process described previously. In order to generate the fault tree logic, a review of each 
subsystem FMECA (ACU, ASC, and GHA) and the system spec requirements was necessary. Information from the 
FMECA provides input to build the basic failure events and the spec requirements to construct the fault logic. The 
FT A model details were updated as needed providing the risk drivers and contributions from components and 
subsystems at periodic reviews. 
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C. Component and Subsystem Accelerated Tests 

Many of the ASRG components are qualified with accelerated testing. These tests not only validate the design 
margins but also provide inputs to the reliability analyses. However, due to the fundamental operating characteristics 
of the free piston — linear alternator configuration of the ASC — it is extremely difficult to carry out the classical 
approach of employing various accelerated testing at the full system. The primary cause of this limitation is the 
relatively narrow operating envelope of the Stirling engine from the viewpoint of operating speed (frequency), 
mechanical loads (pressure), electrical loads (alternator capabilities), and temperatures (heater head creep, magnet 
degradation, etc.), leaving little if any parameters available for system accelerated testing. 

To overcome this fact, the development team has employed risk mitigation effort for a wide range of component 
tests to define their key durability and reliability characteristics under normal and extreme load conditions. The 
following table provides a set of such testing efforts. 

Table 1. Component Accelerated Tests. 


Component Type 

Purpose 

Results 

Heater head 

Verify creep rate at 1 .4 times 
nominal peak internal pressure 
and 869 °C max. temperature 

Interim measured creep rate at half of 
predicted value 

Heater head 

Permeability test of thin wall 
specimens at 850 °C and 6% 
strain 

No leakage found 

Fasteners 

Use destruction torque to verify 
nut factor and joint load capacity 

Each fastener type was tested with 30 
samples — high strength results obtained 

Organics 

Magnet bonding material aging 
characterization with exposure 
up to 1.8 times nominal 
operating temperature 

No significant changes at 2 yr aging in 
terms of weight change and mechanical 
properties 

Organics 

Gamma irradiation tests of 
organics used in the ASC at 5, 
1 0, and 1 5 Mrad 

Large margins for operating conditions 
confirmed — ongoing tests 

Linear alternator 

Determine maximum 
temperature for onset 
demagnetization 

The onset temperature of nonrecoverable 
degradation determined 

Displacer spring 

Verify fatigue endurance 

High margin results obtained with step- 
stress tests — additional tests with constant 
stress method ongoing — spring material 
to be tested at giga cycles level 

Power feedthrough 

Verify hermeticity with 
increasing temperature up to 4 
times nominal operating 
temperature 

Five different model samples tested; 
ceramic seal selected over glass; 
additional tests with elevated temperature 
and axial loads also show very high 
margins 

Insulation material 

Verify long-term shrinkage of 
samples at max. temperature 
950 °C 

Interim data at 8000 hr collected — 
shrinkage ranging from 2 to 1 0% 
depending on insulation layer temperature 


In T able 1 , it is significant to note that 

Most of the ASC fasteners are 2 mm in size; therefore, extremely small by conventional structural 
standards and in a number of cases represent potential single point failures. This size characteristic 
required a master buy of fasteners along with extensive testing for both the fastener material as well as 
the installation torque for all operating conditions. This latter effort required a careful test planning to 
simulate mechanical joints of the convertor since a wide range of materials are employed. 

Linear alternator design limits are critical to defining the safe operating conditions for this critical 
component. A unique test rig, called a Hot Alternator Test Rig (Fig. 4), was employed in this process. 
The test rig allows the test ASC alternator to be driven at various amplitudes and power levels while 
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being heated to selected temperatures. These temperatures allowed definition of the onset of magnet 
degradation in the actual ASC alternator configuration and structural limits for the various materials 
employed in the hardware. 

Displacer spring is one critical component of the ASC moving parts, operating at a nominal frequency 
of 102 Hz. The spring design has benefited significantly from the extensive experience at Sunpower 
with the cryocooler models, one of which was flight proven. 4 T esting of multiple springs over a wide 
range of stress conditions with the step-stress method has provided a good margin for the predicted 
spring reliability. To reduce the uncertainty of the fatigue threshold, an additional set of tests with the 
constant-stress method is currently being performed. Due to the extremely large number of stress cycles 
(5.5 xlO 10 ) experienced by this component, a test plan is also underway to use a high- frequency shaker 
to reach or even exceed the full design cycles on spring material samples. 



Figure 3. Magnet Aging Test 



Figure 5. Heater Head 
Benchmark 

1) «h4-a T'ac(4- 



Figure 4. Hot Alternator Test 

ns. 



Figure 6. Displacer Spring Test Station 
With Linear Motor Drives and Controllers 


D. Integrated Simulation Model 

One aspect of the ASRG reliability sensitivity is the interface between the ASC and ACU. The ACU main 
requirements are to convert the output power from ac to dc and to synchronize the convertors in opposite direction to 
minimize mechanical vibration. As an autonomous system, the ACU is also expected to generate adjustment 
commands to adapt to changes such as usage load and operating temperature variations. Designed as single fault 
tolerant, the ACU relies on an N+l redundant scheme, using a standby control card as instant backup to any of the 
two primary control cards. While the ACU design requirements must be complete for all operating conditions and its 
functionality thoroughly tested, the addition of an analytical integrated model has offered many advantages in 
simulating nominal and off-nominal condition of interest. Known as System Dynamic Model (SDM) 5 , a 
computerized model of the ASC- ACU interface was developed at NASA Glenn to simulate conditions such as 
performance stability, system frequency response, and fault simulation with controller card switchover. Specifically 
for the latter case, SDM provided the maximum allowed time for switching between the primary and backup 
controller cards as a function of a buffer load resistance. With the capability to simulate both ASC and ACU 
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response parameters, SDM will allow validation of the ACU control approach for conditions that the mission 
Concept of Operations could envision. 


E. Risk Mitigation With Subsystem Durability Tests 

The objective of the durability tests is to demonstrate the ASC robustness in overstress conditions. As a preferred 
approach, we plan to overstress the convertor but avoid damaging so that an extended operation test can be 
performed afterwards. This implies a careful planning in stress amplitudes and application timing during the test. 
Overall, the sequential tests for the ASC when subjected to the durability test include 

Acceptance tests at delivery 

Run-in test between 500 to 1000 hr to characterize basic performance 
Sequence of overstress tests and associated post-test performance checks 
Extended operation to demonstrate long life 

We considered 10 types of tests that could subject the ASCs to overstress conditions. Table 2 provides the list of 
tests and associated priority and rationale. After reviewing other concurrent tests and existing results, the priority 
was assigned to each of the considered tests. Plans are underway to execute all the tests with high priority. 

Table 2. ASRG Durability Tests 


Overstress Parameter 

Priority 

Rationale 

ASC piston over- stroke 
during random vibration 

High 

- To simulate potential piston collisions during high vibration 
conditions; number of over-strokes during test controlled with 
commanded amplitude 

ASC piston over- stroke 
during out-of-control time 

High 

- To simulate prolonged off-nominal conditions such as out of 
control or switchover 

Static acceleration 

High 

- To simulate high static acceleration during liftoff or landing 

- To be tested with centrifugal accelerator 

High temperature cycling 

Medium to high 

- To simulate extreme temperature effects on ASC operation 

- Potential high stresses for alternator components 

- Test could be combined with extended operation 

Piston amplitude 

High 

- High stress effects on most ASC components 

- Moving parts subjected to accelerated stress factor 

- Test could be combined with extended operation 

Startup and shutdown cycles 

High 

- To ensure the ASC moving parts robustness during various 
ground operation and tests before final fuel loading 

Shock test 

Low to medium 

- Shock tests already being planned for system qualification 

- Engineering system successfully passed 3000 g shock test 

Random vibration 

Low 

- Tests already being planned for system qualification 

- Some past tests went to qualification level and beyond 

Radiation 

Low 

- Test with whole alternator completed successfully 

- Coupons of material are being tested at Mrad level 

- Use radiation hardening rating for established electronic parts 

Pressure 

Low 

- High values of pressure already being utilized in creep and 
permeability tests 

- Limited variations allowed for a stable ASC operation 


F. Reliability Experience With Similar Designs 

Like any other technology development project, the ASRG design must go through successive changes and 
refinements for improvements. 6 In 2000, the development program initially started with the Technology 
Demonstration Convertor (TDC) to produce a 110-W Stirling Radioisotope Generator (SRG-110). Then in 2006, 
under the redirection of the Department of Energy (DOE) and NASA, the program integrated the ASC into the 
system for higher efficiency, maximizing the system specific power. Extensive knowledge accumulated from the 
development, testing, or fabrication processes provided the program with valuable information to ensure the system 
could meet its long life operation goal. 
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Particularly for the ASC, with the exception of the high operating temperature components such as the heater 
head and heat collector, the design represents a relatively straightforward application of the free-piston Stirling 
technology that has evolved at Sunpower. Various Sunpower commercial cryocooler products incorporate very 
similar sized planar springs for the displacer, gas hearing for the moving piston, and linear drive motor 
configuration. 

From the lessons learned of the development activities, the key efforts that have provided a strong basis for the 
system reliability and performance include the following: 

Ensure the regenerator will not generate debris during its long life operation through proven material 
selection and manufacturing process optimization 

Increase the design margins for high temperature components with selection of high creep endurance 
material and extensive validation tests 

Stringent acceptance tests of the gas bearing system to ensure noncontacting operating conditions 

between the moving parts under all conditions experienced by the ASC 

Provide a robust and accurate positioning of the ASC piston during all operating conditions 

Incorporate component material that will not contribute to possible degradation mechanisms 

Improve the robustness of fastener internal joints with high strength material and compatible thermal 

expansion coefficient 

Analyze and extensively test the unique environment of the launch phase to understand the interface 
ASC-ACU during high vibrations 

Implement an integrated quality assuranceprogram that covers all aspects of hardware development, 
manufacture, and testing — this effort is critical since the free-piston linear alternator Stirling convertor 
could be sensitive to small variations in various component parameters 
The following table summarizes the results of these efforts with the characteristics of the program convertors and 
their accumulated test hours from extended operation. With more ASC convertors entering the test program in 
support of the flight unit development, it is expected that further insights as well as total accumulated convertors 
operation hours will increase. 

Table 3. Extended Operation Tests at NASA Glenn (as of April 2010) 


Convertor 

System 

Accumulated 
Hours Per 
Unit 

Status 

Comments 

TDC #5 and TDC #6 

10,000 hr 

Stopped 

SRG-1 10 baseline design — thermal vacuum tested — no 
failures 

TDC #13 and TDC #14 

52,725 hr 

Ongoing 

SRG-1 10 baseline design — hermetically sealed after 
19,000 hr — no failures 

TDC #15 and TDC #16 

39,331 hr 

Ongoing 

SRG-1 10 baseline design — hermetically sealed after 4,000 
hr — no failures 

Total TDC hours 

208,315 hr 


ASC-1HS #1 

3,842 hr 

Ongoing 

Development design 

ASC-1HS #4 

7,824 hr 

Ongoing 

Development design 

ASC-0 #1 and #2 

15,378 hr 

Stopped 

Development design — piston of ASC-0 #1 drifted due to 
known causes from bum-in tests 

ASC-0 #3 and #4 

17,718 hr 

Ongoing 

Development design — piston design improved — no 
failures 

ASC-1 #3 and #4 

1,817 hr 

Ongoing 

Development design 

Total development ASC 

80,478 hr 


ASC-E #2 and #3 

9,613 hr 

Ongoing 

ASRG engineering unit system level test with controller 

ASC-E #1 

2,452 hr 

Ongoing 

Engineering ASC design 

ASC-E #4 

2.398 hr 

Ongoing 

Engineering ASC design 

Total ASC hours 

24,076 hr 
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G. Integrated System Extended Operation 

Traditionally, we use the extended operation (life test) to demonstrate the integrated design has eliminated 
potential random failures and wearout risks. These failure modes are applicable to the mid- and late-life phases of 
the system, rather than the early-life phase because infant mortality failures can be mitigated by extensive bum-in 
and qualification tests. Unlike the durability tests previously described, the extended operation tests drive the 
integrated system at nominal operating conditions for a target duration or as long as possible. It should be 
emphasized that life test, while very important, is not the only reliability measure of the system. Other component 
test data and analytical model results must be considered to arrive at a complete reliability prediction. As to 
complement other efforts, the focus of the extended operation is also on detecting failure modes and operation 
anomalies at the system level unforeseen by other analyses and tests. 

For ASRG, the 17-yr design life and continuous high cycle level operation have made impractical a full life test 
on the same test unit. Sensitivity calculations using the Weibull model 7 to reach the reliability target solely through a 
zero-failure life test plan, have led to sample size and test time that far exceed any program resources. Moreover, 
even a relaxation in confidence level (lower than 90%) gave little relief on test duration. Instead, we adopt the 
following approach for life test: 

Since the design has no contacts on moving parts, the random failure modes are assessed as more 
dominant contributors than the wearout failure modes during the entire system life. Random failures are 
independent of time and therefore the test duration target can be cumulative from a number of systems 
under test. 

Based on the recommendation of aerospace standards for moving mechanism, 8 the cumulative test 
duration goal is to achieve 1.5 times design life (or 25.5 yr). For a potential 2015 launch target, this goal 
is achievable with high confidence, using at least six systems (each with two ASCs), three of which will 
start in early 2011, and the remaining in early 2012. The estimated total accumulated hours from the 
ASCs of these six systems will reach 38 yr or larger than 2 times design life. 

Considering the insights gained from the existing life tests, the test duration from 4 to 5 yr would be 
sufficient to uncover any life-limiting risks. 

To address the wearout and degradation concerns, we rely on the accelerated tests of components and 
durability tests (described previously). For moving parts particularly, even if the traditional life test 
approach could be carried out, a very large amount of accrued test time might be required due to the no- 
contact design characteristics. Instead, it is better to perform durability tests that simulate overstress 
conditions that might lead to the potential rubbing and subsequent debris generation. Certainly, 
workmanship and quality assurance control of the high dimension tolerances also help to ensure a long 
life operation. 

For each system in the extended operation life test, we have recommended to use an integrated ASC- 
ACU configuration. Even interim versions of the ACU before flight could provide a better 
understanding of the interface between the two subsystems. The objective of the ACU presence is not 
about electronic parts life testing but to understand the interface and to characterize all operating 
conditions. 

H. Reliability Prediction With FTA System Model 

The final step of reliability demonstration is to integrate the risks and interpret the results. As a probabilistic 
analysis, one could use either the Reliability Block Diagram or the FTA technique. In order to have a complete 
integration of risks derived from test results and analyses described above, we generated a system FTA model to 
predict the reliability. With sufficient knowledge and relevant test data, the typical FTA is a straightforward and 
systematic top-down method to provide both the overall system reliability and individual contributions at subsystem 
or component levels. The FTA model also provides the overall risk ranking and the list of cutsets or potential 
combination of failure events that lead to the top event. For specific mission phases and scenarios of interest, a series 
of conditional fault and event trees are necessary to determine the specific risks. 

IV. Conclusion 

The reliability demonstration approach for ASRG includes a series of steps that involve both analytical modeling 
and tests. The extensive knowledge accumulated throughout the development years allows not only a full system 
characterization but also a practical approach to test the long life requirement. As key to mission success, the risks 
associated with each life phase of the system must be understood and associated tests adequately planned. We also 
believe that like any other design, inherit and usage reliability are covered by sound design and good workmanship. 
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